Re: rewrite a login into a dn in simple bind
Hi Quanah,
Quanah Gibson-Mount <quanah@stanford.edu> writes:
> --On Thursday, October 09, 2003 2:00 PM -0400 Ace Suares
> <ace@suares.nl> wrote:
>
>> A way out could be to make a separate tree (or an entirely separate
>> database) where you store the dn and the uid, and since you control that
>> database, you can give access to it by anonymous, to find the dn, and
>> then bind to the 'real' database with the found dn and the password.
>> Obviously, keeping the second database in sync with the main database
>> will be a pain. It could be done, but it seems there are various
>> obstacles in your way.
>
> One solution to this would be if OpenLDAP would allow you to populate
> only portions of a tree. That currently isn't possible in 2.1. It
> is, however, possible in 2.2 if you use syncRepl instead of slurpd.
> Since the slave drives the update process, and can only update what it
> is allowed to access on the master, you can make different replicas
> contain different amounts of data -- in essence, you could have a
> replica that contained only the dn and uid (plus the required
> operational attributes).
That is possible in 2.1.
Just an example slapd.conf:
##########################
## subordinate database ##
##########################
# The subordinate is defined first; it is glued into the superior
# "o=myCompany" database that follows it.
database        bdb
suffix          "ou=addressbook,o=myCompany"
rootdn          "cn=admin,o=myCompany"
directory       /usr/local/var/openldap-data
subordinate
# Only changes under ou=addressbook are written to this replog, so the
# slurpd replica on ldap2 receives this subtree and nothing else from
# o=myCompany. Continuation lines of the replica directive are indented.
replogfile      /usr/local/var/openldap-slurp/slapd.replog
replica         host=ldap2.mycompany.com
                binddn=xxxxxx
                bindmethod=xxxxxx

##########################
## superior database    ##
##########################
database        bdb
suffix          "o=myCompany"
rootdn          "cn=admin,o=myCompany"
rootpw          {SSHA}xxxxxxxx
# Each database needs its own directory; this one differs from the
# subordinate's.
directory       /var/openldap-data
-Dieter
PS
IOU a script, shame on me :-(
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
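The client side of the scheme discussed in this thread (anonymous search of a uid/dn replica for the entry whose uid equals the login, then a simple bind against the real directory with the found DN and the user's password), written out as an added example. It is not code from the thread or from OpenLDAP. The search and bind operations are passed in as callables so the block runs offline against a constructed in-memory stand-in for the ou=addressbook replica; in a deployment they would be the search and bind calls of python-ldap or ldap3. The function names (resolve_dn, login, try_login, fake_search, fake_bind), the sample entries and their passwords are assumptions made up for this example. It also adds two checks the thread does not spell out: the login is escaped before it is placed in the filter (RFC 4515), and an empty password is refused, because a server may treat a non-empty DN with an empty password as an unauthenticated bind (RFC 4513 section 5.1.2) and report success without checking anything.

```python
"""Search-then-bind: resolve a login name to a DN via an anonymous search
against a uid/dn replica, then simple-bind as that DN with the user's password.
Added example, not code from the thread; the directory is a constructed stand-in."""
import hmac
import re
from typing import Callable, Dict, List, Optional

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Make user input match literally instead of being parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


class LoginError(Exception):
    """Raised for any reason the login cannot be mapped to one authenticated DN."""


def resolve_dn(search: Callable[[str, str], List[str]], base: str, uid: str) -> str:
    """Map a login to exactly one DN under base; zero or several matches are a failure."""
    if not uid:
        raise LoginError("empty login")
    dns = search(base, "(uid=%s)" % escape_filter_value(uid))
    if len(dns) != 1:
        raise LoginError("login matched %d entries, need exactly 1" % len(dns))
    return dns[0]


def login(search: Callable[[str, str], List[str]],
          bind: Callable[[str, str], bool],
          base: str, uid: str, password: str) -> str:
    """Anonymous lookup on the replica, then a simple bind as the found DN."""
    dn = resolve_dn(search, base, uid)
    # RFC 4513 5.1.2: a non-empty DN with an empty password is an *unauthenticated*
    # bind, which a server may accept without checking anything. Refuse it here.
    if not password:
        raise LoginError("empty password")
    if not bind(dn, password):
        raise LoginError("invalid credentials")
    return dn


def try_login(search, bind, base, uid, password) -> Optional[str]:
    """Convenience wrapper: the bound DN on success, None on any failure."""
    try:
        return login(search, bind, base, uid, password)
    except LoginError:
        return None


# --- constructed stand-in for the ou=addressbook replica (not real data) --------
BASE = "ou=addressbook,o=myCompany"
SAMPLE_REPLICA: Dict[str, Dict[str, str]] = {
    "uid=alice,ou=addressbook,o=myCompany": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=addressbook,o=myCompany": {"uid": "bob", "userPassword": "hunter2"},
}
_UID_FILTER = re.compile(r"^\(uid=(.*)\)$")


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes, as a real server does before comparing."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def fake_search(base: str, filt: str) -> List[str]:
    """Minimal (uid=...) evaluator: literal equality plus the bare '*' presence
    filter, which is enough to show what unescaped input does to the lookup."""
    m = _UID_FILTER.match(filt)
    if m is None:
        raise ValueError("unsupported filter: %r" % filt)
    raw = m.group(1)
    return [dn for dn, attrs in SAMPLE_REPLICA.items()
            if dn.endswith(base) and (raw == "*" or attrs["uid"] == _unescape(raw))]


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for the server-side simple bind (constant-time compare)."""
    entry = SAMPLE_REPLICA.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())


if __name__ == "__main__":
    print(try_login(fake_search, fake_bind, BASE, "alice", "s3cret"))  # alice's DN
    print(try_login(fake_search, fake_bind, BASE, "*", "s3cret"))      # None
    print(len(fake_search(BASE, "(uid=*)")))  # 2: what an unescaped '*' would match
```

The replica only has to expose uid and the DN to the anonymous searcher; the password check itself happens in the bind against the real database, so a compromised or stale replica can at worst deny a login or point it at the wrong entry, which is why resolve_dn insists on exactly one match rather than taking the first result.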